Amendments to the Claims 



Applicants respectfully request reconsideration of this application as amended. 
Claims 1-51 were pending. Claims 1, 6, 13, 15-16, 19, 21-25, and 28-51 have been 
amended. No claims have been added. Claims 12, 14, 18, 20, 43, and 45-46 have been 
canceled without prejudice. Claims 1-11, 13, 15-17, 19, 21-42, 44, and 47-51 remain 
pending. 

Listing of Claims: 

1 . (Currently amended) A method in a network access device comprising: 
without proxying, analyzing each of a stream of packets traversing a single 

connection through the network access device from an external host to a 
protected host; 

forwarding each allowed packet of the stream of packets as long as the connection 
is activ e, wherein forwarding each allowed packet comprises transmitting 
a message indicating that each allowed packet is allowed: and 

if one of the stream of packets is determined to be disallowed by said analyzing, 
then discarding the disallowed packet and terminating the connection, 
causing the protected host to discard those packets received on the 
terminated connection. 

2. (Original) The method of claim 1 wherein analyzing each of the stream of packets 
comprises inspecting a header of each of the stream of packets against a packet filter. 
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3. (Original) The method of claim 1 wherein analyzing each of the stream of packets 
comprises inspecting a payload of each of the stream of packets for disallowed content. 

4. (Original) The method of claim 3 wherein inspecting the payload of each of the 
stream of packets comprises copying the payload, analyzing the payload, and discarding 
the corresponding packet if the payload is threatening. 

5. (Original) The method of claim 1 further comprising: 

copying a payload from each of a plurality of packets that comprise a file, the 

stream of packets including the plurality of packets; 
forwarding all but the last of the plurality of packets to the protected host; 
reassembling the plurality of packets into the file; 
analyzing the file; 

if the file is a threatening file then discarding the last packet and terminating the 

connection; and 
if the file is non-threatening, then forwarding the last packet. 

6. (Currently amended) A computer implemented method comprising: 
copying a packet payload of each of a plurality of packets received on a single 

connection between an external host and a protected host that carries a 
stream of packets the stream of packets including the plurality of packets; 

forwarding all but the last of the plurality of packets to the protected host; 

reassembling the copied packet payloads into a file; 

analyzing the file to determine if the file is allowed or disallowed; 

maintaining the connection while analyzing the file, said maintaining comprising 
copying each of the plurality of packets but the last packet before 
forwarding each of the plurality of packets, and 



Attorney's Docket Number 46I9.P027 



3 



AppL Ser. No. 10/697,846 



holding the last packet and repeatedly forwarding the last copied packet; 
if the file is allowed, then forwarding the last packet to the protected host; and 
if the file is determined to be disallowed, then dropping the last packet and 

terminating the connection. 

7. (Original) The computer implemented method of claim 6 wherein the analyzing 
the file comprises performing anti-virus analysis on the file. 

8. (Original) The computer implemented method of claim 6 further comprising: 
analyzing a header of each of the stream of packets; and 

if one of the stream of packets is determined to be disallowed, then discarding the 
disallowed packet and terminating the connection. 

9. (Original) The computer implemented method of claim 8 wherein analyzing the 
header comprises inspecting addresses indicated in the header against a packet filter. 

10. (Original) The computer implemented method of claim 6 further comprising: 
individually analyzing each of the copied packet payloads; and 

if one of the copied packet payloads is determined to be threatening, then 

discarding the corresponding packet and terminating the connection. 

1 1 . (Original) The computer implemented method of claim 1 0 wherein analyzing 
each of the copied packet payloads comprises inspecting each copied packet payload 
against a list of disallowed content and determining if each copied packet payload 
includes threatening script. 

12. (Canceled). 
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13. (Currently amended) A [[The]] computer implemented method comprising: ef 
claim 12 

copying a packet pavload of each of a plurality of packets received on a single 
connection between an external host and a protected host that carries a 
stream of packets the stream of packets including the plurality of packets: 

forwarding all but the last of the plurality of packets to the protected host; 

reassembling the copied packet payloads into a file; 

analyzing the file to determine if the file is allowed or disallowed; 

maintaining the connection while analyzing the file, wherein maintaining the 
connection comprises: 
decapsulating the last packet's payload[[;]] a 
fragmenting the last packet's payload into subparts[[;]] a 
encapsulating each subpart[[;]] a and 
forwarding each subpart until analysis is complete; 

if the file is allowed, then forwarding the last packet to the protected host; and 

if the file is determined to be disallowed, then dropping the last packet and 
terminating the connection . 



14. (Canceled). 



1 5. (Currently amended) The computer implemented method of claim [[12]] 
wherein maintaining the connection comprises increasing transmission latency of each 
acknowledgement transmitted from the protected host to the external host until the 
analysis is complete. 
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1 6. (Currently amended) A [[The]] computer implemented method comprising: ef 
oloim 6 

copying a packet pavload of each of a plurality of packets received on a single 
connection between an external host and a protected host that carries a 
stream of packets the stream of packets including the plurality of packets; 

forwarding all but the last of the plurality of packets to the protected host; 

reassembling the copied packet payloads into a file; 

analyzing the file to determine if the file is allowed or disallowed; 

if the file is allowed, then forwarding the last packet to the protected host, wherein 
forwarding each of the plurality of packets comprises transmitting a 
message indicating that each of the of the plurality of packets is allowed; 
and 

if the file is determined to be disallowed, then dropping the last packet and 
terminating the connection . 



1 7. (Currently amended) A computer implemented method comprising: 
supporting a connection from an external host to a protected host; 
analyzing a header of each packet received over the connection from the external 
host; 

terminating the connection if a first packet received over the connection is 

determined to be disallowed and discarding the first packet; 
if the connection is not terminated, copying the first packet's payload; 
analyzing the first packet's payload; 

terminating the connection if said first packet's payload is determined to be 

disallowed and discarding the first packet; 
if the connection has not been terminated and if said first packet's payload is not a 

last block of a file, then forwarding said first packet to the protected host; 
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if said first packet's payload is the last block of a file, then reassembling the first 

packet's payload with a set of one or more previously copied packet 

payloads into the file; 
analyzing the file to determine if the file is allowed or disallowed; 
maintaining the connection while analyzing the file, said maintaining comprising 

copying each of the plurality of packets but the last packet before 
forwarding each of the plurality of packets, and 

holding the last packet and repeatedly forwarding the last copied packet: 
if the file is disallowed then dropping the first packet and terminating the 

connection; and 
if the file is allowed then forwarding the first packet. 



18. (Canceled). 



1 9. (Currently amended) A [[The]] computer implemented method comprising: ef 
claim 1 8 

supporting a connection from an external host to a protected host; 
analyzing a header of each packet received over the connection from the external 
host; 

terminating the connection if a first packet received over the connection is 

determined to be disallowed and discarding the first packet; 
if the connection is not terminated, copying the first packet's payload; 
analyzing the first packet's payload; 

terminating the connection if said first packet's payload is determined to be 

disallowed and discarding the first packet; 
if the connection has not been terminated and if said first packet's payload is not a 

last block of a file, then forwarding said first packet to the protected host; 
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if said first packet's pavload is the last block of a file, then reassembling the first 
packet's pavload with a set of one or more previously copied packet 
pavloads into the file: 

analyzing the file to determine if the file is allowed or disallowed; 

maintaining the connection while analyzing the file, wherein maintaining the 
connection comprises: 
decapsulating the last packet's payload[[;]] A 
fragmenting the last packet's payload into subparts[[;]] a 
encapsulating each subpart[[;]] a and 
forwarding each subpart until analysis is complete; 

if the file is disallowed then dropping the first packet and terminating the 
connection: and 

if the file is allowed then forwarding the first packet . 

20. (Canceled). 

2 1 . (Currently amended) The computer implemented method of claim 17^ [[18]] 
wherein maintaining the connection comprises increasing transmission latency of each 
acknowledgement transmitted from the protected host to the external host until the 
analysis is complete. 

22. (Currently amended) The computer implemented method of claim [[6]] J7 
wherein the analyzing the file comprises performing anti-virus analysis on the file. 

23. (Currently amended) The computer implemented method of claim [[8]] 17 
wherein analyzing the header comprises inspecting addresses indicated in the header 
against a packet filter. 
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24. (Currently amended) The computer implemented method of claim [[ 1 0]] 17. 
wherein analyzing the first packet's pavload oaoh of th e oopiod packet payloado 
comprises inspecting the first packet's oaoh oopiod packet payload against a list of 
disallowed content and determining if the first packet's oaoh copied pack e t payload 
includes threatening script. 

25. (Currently amended) An apparatus comprising: 

a forwarding module to forward packets of a datastream along a connection 
between a protected host and an external host; and 

a datastream analysis module coupled with the forwarding module, the datastream 
analysis module to analyze each of the packets to determine if each of the 
packets are allowed or disallowed and to terminate the connection upon 
determining one of the packets to be disallowed and to discard the 
disallowed packet, causing the protected host to discard packets received 
on the terminated connection prior to the disallowed packe t, wherein the 
forwarding module is operable to maintain the connection while the 
analysis module is analyzing the packets by copying each of the packets 
but the last packet before forwarding each of the packets, and holding the 
last packet and repeatedly forwarding the last copied packet . 

26. (Original) The apparatus of claim 25 further comprising a memory to store each 
of the packets until forwarded or discarded. 

27. (Original) The apparatus of claim 25 further comprising a memory coupled with 
the datastream analysis module, the memory to store copies of each of the packets' 
payloads. 
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28 . (Currently amended) A machine readable medium physjeaTmachine-acGegstbte 
storage medium t hat provides instructions, which when executed by a set of one or more 
processors, cause said set of processors to perform operations comprising: 

without proxying, analyzing each of a stream of packets traversing a single 

connection through the network access device from an external host to a 
protected host; 

forwarding each allowed packet of the stream of packets as long as the connection 
is activ e, wherein forwarding each allowed packet comprises transmitting 
a message indicating that each allowed packet is allowed ; and 

if one of the stream of packets is determined to be disallowed by said analyzing, 
then discarding the disallowed packet and terminating the connection, 
causing the protected host to discard those packets received on the 
terminated connection. 

29. (Currently amended) The machin e r e adabl e medium phvsie^machine-accgsgftfle 
storage medium o f claim 28 wherein analyzing each of the stream of packets comprises 
inspecting a header of each of the stream of packets against a packet filter. 

30. (Currently amended) The machin e r e adabl e m e dium physregTmachine-aceesSffile 
storage medium o f claim 28 wherein analyzing each of the stream of packets comprises 
inspecting a payload of each of the stream of packets for disallowed content. 

3 1 . (Currently amended) The machin e r e adabl e m e dium physical m achi ne- aceessrtrfe 
storage medium o f claim 30 wherein inspecting the payload of each of the stream of 
packets comprises copying the payload, analyzing the payload, and discarding the 
corresponding packet if the payload is threatening. 
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32. (Currently amended) The machin e readabl e medium _nh¥3iCSl machine- 




storage medium o f claim 28 further comprising: 

copying a payload from each of a plurality of packets that comprise a file, the 

stream of packets including the plurality of packets; 
forwarding all but the last of the plurality of packets to the protected host; 
reassembling the plurality of packets into the file; 
analyzing the file; 

if the file is a threatening file then discarding the last packet and terminating the 
connection; and 

if the file is non-threatening, then forwarding the last packet. ^ 

33. (Currently amended) A machine r e adable medium phvek^machine-accessTWe 
storage medium t hat provides instructions, which when executed by a set of one or more 
processors, cause said set of processors to perform operations comprising: 

copying a packet payload of each of a plurality of packets received on a single 
connection between an external host and a protected host that carries a 
stream of packets the stream of packets including the plurality of packets; 
forwarding all but the last of the plurality of packets to the protected host , wherein 
forwarding each of the plurality of packets comprises transmitting a 
message indicating that each of the of the plurality of packets is allowed: 
reassembling the copied packet payloads into a file; 
analyzing the file to determine if the file is allowed or disallowed; 
if the file is allowed, then forwarding the last packet to the protected host; and 
if the file is determined to be disallowed, then dropping the last packet and 
terminating the connection. 
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34. (Currently amended) The machine readable m odium physical machine-accessible 
storage medium of claim 33 wherein the analyzing the file comprises performing anti- 
virus analysis on the file. 

35. (Currently amended) The machin e r e adable medium physieal machine-accessible 
storage medium o f claim 33 further comprising: 

analyzing a header of each of the stream of packets; and 

if one of the stream of packets is determined to be disallowed, then discarding the 
disallowed packet and terminating the connection. 

36. (Currently amended) The machine readable medium ph^sieafmachine-accessifile 
storage medium of claim 35 wherein analyzing the header comprises inspecting addresses 
indicated in the header against a packet filter. 

37. (Currently amended) The machin e r e adabl e medium vhuskzA machine-accessible 
storage medium of claim 33 further comprising: 

individually analyzing each of the copied packet payloads; and 

if one of the copied packet payloads is determined to be threatening, then 

discarding the corresponding packet and terminating the connection. 

38. (Currently amended) The maohino readable medium ^h^sk^fmachine-acxessftyl^ 
storage medium of claim 37 wherein analyzing each of the copied packet payloads 
comprises inspecting each copied packet payload against a list of disallowed content and 
determining if each copied packet payload includes threatening script. 
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39. (Currently amended) The machine roadablo medium physkgTmachine-accssstBTe 
storage medium of claim 33 further comprising maintaining the connection while 
analyzing the file. 



40. (Currently amended) Th e machin e r e adabl e m e dium A physical machine- 
accessible storage medium that provides instructions, which when executed by a set of 
one or more processors, cause said set of processors to perform operations comprising: ef 
claim 39 

copying a packet pavload of each of a plurality of packets received on a single connection 
between an external host and a protected host that carries a stream of packets the 
stream of packets including the plurality of packets: 
forwarding all but the last of the plurality of packets to the protected host: 
reassembling the copied packet pavloads into a file: // / 

analyzing the file to determine if the file is allowed or disallowed: 
maintaining the connection while analyzing the file, wherein maintaining the connection 
comprises: 

decapsulating the last packet's payload[[;]] 4 

fragmenting the last packet's payload into subparts[[;]] 4 

encapsulating each subpart[[;]] A and 

forwarding each subpart until analysis is complete; 
if the file is allowed, then forwarding the last packet to the protected host: and 
if the file is determined to be disallowed, then dropping the last packet and terminating 

the connection. 



41 . (Currently amended) Th e machin e readable medium A j)hysieafr machine- 
accessible storage medium that provides instructions, which when executed by a set of 
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one or more processors, cause said set of processors to perform operations comprising: ef 
olaim 39 

copying a packet pavload of each of a plurality of packets received on a single connection 
between an external host and a protected host that carries a stream of packets the 
stream of packets including the plurality of packets: 

forwarding all but the last of the plurality of packets to the protected host: 
reassembling the copied packet payloads into a file: 
analyzing the file to determine if the file is allowed or disallowed: 

maintaining the connection while analyzing the file, wherein maintaining the connection 
comprises: 

copying each of the plurality of packets but the last packet before forwarding each 

of the plurality of packets[[;]] A and 
holding the last packet and repeatedly forwarding the last copied packet; 
if the file is allowed, then forwarding the last packet to the protected host: and 
if the file is determined to be disallowed, then dropping the last packet and 

terminating the connection . 

42. (Currently amended) The machine readable medium physiefll machine-acGesstfile 
storage medium o f claim 39 wherein maintaining the connection comprises increasing 
transmission latency of each acknowledgement transmitted from the protected host to the £ 
external host until the analysis is complete. 

43. (Canceled). 

44. (Currently amended) A maohin e r e adabl e medium phssieatlnachine-acce68tbte 
storage medium that provides instructions, which when executed by a set of one or more 
processors, cause said set of processors to perform operations comprising: 
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supporting a connection from an external host to a protected host; 
analyzing a header of each packet received over the connection from the external 
host; 

terminating the connection if a first packet received over the connection is 

determined to be disallowed and discarding the first packet; 
if the connection is not terminated, copying the first packet's payload; 
analyzing the first packet's payload; 

terminating the connection if said first packet's payload is determined to be 

disallowed and discarding the first packet; 
if the connection has not been terminated and if said first packet's payload is not a 

last block of a file, then forwarding said first packet to the protected host; 
if said first packet's payload is the last block of a file, then reassembling the first 

packet's payload with a set of one or more previously copied packet 

payloads into the file; 
analyzing the file to determine if the file is allowed or disallowed; 
maintaining the connection while analyzing the file, said maintaining comprising 

decapsulating the last packers payload, 

fragmenting the last packers payload into subparts. 



forwarding each subpart until analysis is complete: 
if the file is disallowed then dropping the first packet and terminating the 

connection; and 
if the file is allowed then forwarding the first packet. 

45. (Canceled). 

46. (Canceled). 



encapsulating each subpart, and 
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47. (Currently amended) Th e machin e r e adabl e m e dium A physkgfmachine- 
accessible storage medium that provides instructions, which when executed by a set of 
one or more processors, cause said set of processors to perform operations comprising: ef 
olaim 15 

su pporting a connection from an external host to a protected host: 
analyzing a header of each packet received over the connection from the external 
host: 

terminating the connection if a first packet received over the connection is 

determined to be disallowed and discarding the first packet; 
if the connection is not terminated, copying the first packet's payload: 
analyzing the first packet's pavload: 

terminating the connection if said first packet's payload is determined to be 

disallowed and discarding the first packet: 
if the connection has not been terminated and if said first packet's pavload is not a 

last block of a file, then forwarding said first packet to the protected host: 
if said first packet's pavload is the last block of a file, then reassembling the first 

packet's pavload with a set of one or more previously copied packet 

pavloads into the file: 
analyzing the file to determine if the file is allowed or disallowed; 
maintaining the connection while analyzing the file, w herein maintaining the 

connection comprises: 

copying each of the plurality of packets but the last packet before 

forwarding each of the plurality of packets[[;]] a and 
holding the last packet and repeatedly forwarding the last copied packet; 
if the file is disallowed then dropping the first packet and terminating the 
connection; and 
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if the file is allowed then forwarding the first packet . 

48. (Currently amended) The machine readable medium physk^machine-accessttfle 
storage medium o f claim [[45]] 44» wherein maintaining the connection comprises 
increasing transmission latency of each acknowledgement transmitted from the protected 
host to the external host until the analysis is complete. 

49. (Currently amended) The machin e readable medium physical machine-qccessTbR* 
storage medium o f claim [[33]] 44 wherein the analyzing the file comprises performing 
anti-virus analysis on the file. 

50. (Currently amended) The machin e r e adabl e medium physicSf machine-accessible 
storage medium o f claim [[35]] 44 wherein analyzing the header comprises inspecting 
addresses indicated in the header against a packet filter. 

5 1 . (Currently amended) The machine readable medium physical machine-accessible 
storage medium of claim [[37]] 44 wherein analyzing the first packet's pavload e aeh-ef 
the copied packet payloads comprises inspecting the first packet's e ach copi e d pack e t 
payload against a list of disallowed content and determining if the first packet's e aeh 
copied packet payload includes threatening script. 
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